Researchers identify year-long cyberespionage effort against Israelis, Palestinians

Recent malware attacks against the Israeli police are part of a larger campaign, Norman researchers say


Executive Summary

Researchers believe the recent cyberattack that infected Israeli police computers with malware was possibly part of a larger operation. The suspected year-long cyberespionage operation had targets in both Israel and Palestine. After a remote access Trojan (RAT) program was discovered on some of its systems, the Israeli police shut down its entire computer network. The Trojan, called Xtreme RAT, was delivered in an archive attached to a spoofed email claiming to be from the chief of general staff of the Israel Defense Forces. The attached file, called “IDF strikes militants in Gaza Strip following rocket barrage.doc”, dropped other files onto the system’s hard drive when executed. These files included a legitimate Word document used as bait, an icon file, and an .exe file that was actually the Xtreme RAT installer.


Further research showed that the .exe file was digitally signed with an untrusted, self-generated Microsoft certificate. Windows would not validate the certificate, although the attackers may have hoped it would convince people who manually inspected the file to allow the malware past the detection system. Investigators also found that the digital signature used in this attack had been used in previous attacks, because the attackers had not changed the certificate when generating new files. This led to the determination that the targets were in both Israel and Palestine, and that a majority of the malware samples were Xtreme RAT variants. The samples connected back to hostnames that resolved to the same IP addresses. Researchers believe the attacks are still ongoing and have yet to identify who is behind them.
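The pivot described above, a signing certificate reused across samples and command-and-control hostnames resolving to shared IP addresses, as an added example (not code from the Norman research): a small clustering script over constructed sample records whose thumbprints, hostnames and IPs are placeholders.

```python
"""Cluster malware samples that share a signing certificate or a C2 IP."""
from collections import defaultdict

# Constructed records (hypothetical ids, thumbprints, hostnames and IPs).
SAMPLES = [
    {"id": "sample-A", "cert": "CERT-THUMB-1", "c2": {"host-a.example": "192.0.2.10"}},
    {"id": "sample-B", "cert": "CERT-THUMB-1", "c2": {"host-b.example": "192.0.2.11"}},
    {"id": "sample-C", "cert": "CERT-THUMB-2", "c2": {"host-c.example": "192.0.2.11"}},
    {"id": "sample-D", "cert": "CERT-THUMB-3", "c2": {"host-d.example": "198.51.100.5"}},
]


def pivot_keys(sample):
    """Indicators that link samples: the signer thumbprint and each C2 IP."""
    keys = set()
    if sample.get("cert"):
        keys.add(("cert", sample["cert"]))
    for ip in sample["c2"].values():
        keys.add(("ip", ip))
    return keys


def cluster_samples(samples):
    """Group samples linked (transitively) by a shared certificate or C2 IP.

    Union-find over sample ids; returns sorted id lists, ordered by first member.
    """
    parent = {s["id"]: s["id"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # indicator -> first sample id that carried it
    for s in samples:
        for key in pivot_keys(s):
            if key in first_seen:
                parent[find(s["id"])] = find(first_seen[key])
            else:
                first_seen[key] = s["id"]

    groups = defaultdict(list)
    for s in samples:
        groups[find(s["id"])].append(s["id"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def shared_indicators(samples, cluster):
    """Indicators carried by more than one member of a cluster (the pivots)."""
    counts = defaultdict(int)
    for s in samples:
        if s["id"] in cluster:
            for key in pivot_keys(s):
                counts[key] += 1
    return {key for key, n in counts.items() if n > 1}
```

Sample A links to B through the reused certificate and B links to C through the shared C2 address, so the three form one cluster while D stays separate.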


Analysis

Simple security controls could have prevented this attack from occurring on the Israeli police computers. All computers on the network should be protected by personal firewalls, which would detect and block the Trojan’s attempts to communicate out of the network. Computers should also be equipped with an up-to-date anti-virus scanner that can detect malware and automate the removal process. Because the attackers were using an untrusted digital certificate, the network should employ the Online Certificate Status Protocol to validate signed files, checking the certificate’s own digital signature, its validity period, and whether it has been revoked.


The RAT program was delivered by a spoofed email purporting to come from the chief of general staff. Employees should therefore be wary of suspicious emails asking them to open or download files, and the Israeli police should have an email policy covering sender authentication. They did take the correct action in shutting down their computer network to prevent the remote intruders from doing further damage to the system. Furthermore, because Xtreme RAT is widely used and relatively easy to deploy, the Israeli police and other agencies should be aware of this type of attack and put further specific measures in place to guard against it.